Securing Redis

Redis is a key-value database, which describes itself as “an open source, BSD licensed, advanced key-value cache and store”. Sensu uses Redis for storing persistent data. Two Sensu services, the server and API, require access to the same instance of Redis to function.

This guide discusses best practices for securing the Redis instance that Sensu uses.

Redis General Security Model

Redis was designed to be accessed by trusted clients inside a closed network environment. As such, it is recommended that Redis instances not be directly exposed to the internet, nor be reachable in general by untrusted clients that can connect directly to the Redis TCP port or UNIX socket.

NOTE: As of Sensu 1.3.0, TLS is supported, allowing you to encrypt the traffic between Sensu and Redis when Redis is used as a transport or datastore.

Securing Redis with a Local Installation of Sensu

When Redis runs on the same host as Sensu, you can configure Redis to listen only on the host's loopback address (localhost).

To accomplish this, edit /etc/redis/redis.conf so that it contains the following line:

bind 127.0.0.1

After making the above change, restart the Redis service so that it takes effect.

Securing Redis via Localhost Security

Redis Configuration

The Redis documentation recommends limiting access to the TCP port Redis uses. By default, Redis uses the following ports:

6379 for standalone Redis instances

16379 for clustered Redis instances (cluster bus port)

26379 for Sentinel instances

We recommend binding to the host's own IP address instead of binding to all IPs on the host. This is done by setting bind to that IP address in /etc/redis/redis.conf:

bind 192.168.50.41

After making the change, restart the Redis service so that it takes effect.

Host Configuration

Once Redis is bound to a specific IP address, you can further restrict who may reach that IP/port using internal security controls such as host firewalls, network ACLs, or other methods of limiting access to a specific host/port.
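The following POSIX shell script is an added example and is not part of the Sensu documentation or the Redis project. It audits the bind directive in a redis.conf the way the two sections above describe (loopback-only for a local install, a single host IP otherwise, and never a wildcard), and prints the matching host-firewall rules for the bound address. The function names, the sample configuration files (constructed in a temporary directory) and the 192.168.50.0/24 client network are assumptions made for the example; the iptables invocation is shown as text to review rather than executed.

```shell
#!/bin/sh
# Added example (not from the Sensu docs): audit the Redis "bind" directive and
# print host-firewall rules that match it. Function names are hypothetical.

# Print the address list of the last uncommented "bind" line in a redis.conf.
# Redis itself honours the last directive, so earlier ones are ignored here.
redis_bind_addrs() {
    awk '$1 == "bind" { $1 = ""; sub(/^[ \t]+/, ""); last = $0 } END { print last }' "$1"
}

# Classify a redis.conf as "loopback", "host" or "exposed".
# No bind line, or a wildcard such as 0.0.0.0, :: or *, means Redis listens on
# every interface, which is the case the guide above warns against.
redis_bind_class() {
    addrs=$(redis_bind_addrs "$1")
    if [ -z "$addrs" ]; then
        echo exposed
        return 0
    fi
    class=loopback
    set -f                     # stop the shell from glob-expanding a literal "*"
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1|-::1) ;;                          # loopback, keep class
            0.0.0.0|::|-::|'*'|'-::*') set +f; echo exposed; return 0 ;;
            *) class=host ;;                                # a specific interface
        esac
    done
    set +f
    echo "$class"
}

# Print iptables rules (as text) that let only CLIENT_NET reach Redis on the
# bound address and drop every other connection to that port.
redis_firewall_rules() {
    bind_ip=$1
    port=${2:-6379}
    client_net=$3
    echo "iptables -A INPUT -p tcp -d $bind_ip --dport $port -s $client_net -j ACCEPT"
    echo "iptables -A INPUT -p tcp -d $bind_ip --dport $port -j DROP"
}

# Constructed sample configurations for demonstration; none is a real file.
demo_dir=$(mktemp -d)
printf 'port 6379\n'                        > "$demo_dir/unset.conf"
printf 'bind 0.0.0.0\n'                     > "$demo_dir/wildcard.conf"
printf '# bind 0.0.0.0\nbind 127.0.0.1\n'   > "$demo_dir/local.conf"
printf 'bind 192.168.50.41\n'               > "$demo_dir/hostip.conf"

for name in unset wildcard local hostip; do
    printf '%-14s %s\n' "$name.conf" "$(redis_bind_class "$demo_dir/$name.conf")"
done
echo
echo "Firewall rules for the host-IP case (Sensu clients assumed on 192.168.50.0/24):"
redis_firewall_rules "$(redis_bind_addrs "$demo_dir/hostip.conf")" 6379 192.168.50.0/24
rm -rf "$demo_dir"
```

Run it against the real file with `redis_bind_class /etc/redis/redis.conf` after sourcing the functions; an "exposed" result means the instance is reachable on every interface and should be fixed before any firewall rule is considered, because a loopback or host binding is the first control and the firewall only narrows who can reach the bound address.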

About Sensu

The Sensu monitoring event pipeline empowers businesses to automate their monitoring workflows and gain deep visibility into their multi-cloud infrastructure, from Kubernetes to bare metal. Companies like Sony, Box.com, and Activision rely on Sensu to help deliver value faster, at scale.